anyone got advice on sendmail and TLS on 8.1?
Dirk-Willem van Gulik
dirkx at webweaving.org
Wed Oct 13 18:01:10 UTC 2010
On 11 Oct 2010, at 17:14, John Baldwin wrote:
>> TLS and authenticated email submission by me and my family
>> able to forward the email anywhere (maybe just to my ISP but who
>> knows) (outgoing)
>> non-TLS submission from outside to reject all mail not to
>> elischer.{org,com}
>> and deliver our mail to mailboxes or gmail (or wherever /etc/aliases
>> says).
I do pretty much this; from my *.mc:
1. Keys as usual - with limited CA trusted
dnl CA bundle offered to clients, and the directory of the only CAs that are trusted
dnl to sign client certificates (hashed layout, as OpenSSL expects for a CApath)
define(`confCACERT', `/etc/pikmeer.webweaving.org.pem')
define(`confCACERT_PATH', `/etc/ca-trusted')
dnl server certificate and private key presented on STARTTLS
define(`confSERVER_CERT', `/etc/pikmeer.webweaving.org.pem')
define(`confSERVER_KEY', `/etc/pikmeer.webweaving.org.key')
And then at the bottom:
dnl accept signed certs too - equivalent to SASL authenticated
dnl (fields of an R line are tab-separated; ${verify} is OK only when the
dnl client cert chained to a CA under confCACERT_PATH)
LOCAL_RULESETS
SLocal_check_rcpt
R$*		$: $&{verify}
ROK		$# OK
And then in the access file or ct/cw file just allow relay for, in your case, elischer. I do the verify as a local ruleset - as I also allow a SASL
dnl mechanisms that count as authenticated for relaying, and the ones offered
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')
dnl define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')
dnl a second define() would replace the first, so both options go in one list
define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile,GroupReadableSASLFile')
define(`confRUN_AS_USER',`root:mail')
on any SSL inbounds in lieu of a cert.
Dw.
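The "limited CA trusted" part of the setup above hinges on confCACERT_PATH holding only the CAs whose client certificates should be treated as authenticated. The script below is an added example, not code from the post or from sendmail: it builds such a hashed CA directory with the openssl command-line tool, issues one client certificate from the trusted CA and one from an unrelated CA, and shows which of the two would verify (the OK/FAIL distinction that the Local_check_rcpt ruleset keys on through ${verify}). All names and subjects are made up, and everything is generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates a confCACERT_PATH
# style trust directory: only CAs linked into it verify client certificates.
# Requires the openssl CLI; certificates are throwaway and live in $WORK.
set -u

WORK=$(mktemp -d)               # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key (demo only, 1 day validity)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CANAME CLIENTNAME: client certificate signed by the named CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# build_trust_dir DIR CA...: directory of <subject_hash>.0 links, the layout
# OpenSSL (and so sendmail, via confCACERT_PATH) uses to find a CA by issuer.
# Nothing outside this directory is consulted, which is the whole point.
build_trust_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        hash=$(openssl x509 -noout -subject_hash -in "$WORK/$ca.pem")
        ln -sf "$WORK/$ca.pem" "$dir/$hash.0"
    done
}

# verify_client DIR CLIENTNAME: prints OK or FAIL, the two ${verify} outcomes
# the ruleset in the post distinguishes (OK relays, anything else falls through)
verify_client() {
    if openssl verify -CApath "$1" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# demo: trusted CA "family-ca" signs "laptop"; a valid but untrusted CA signs
# "stranger". Only the first should verify against the trust directory.
demo() {
    make_ca family-ca
    make_ca other-ca
    issue_cert family-ca laptop
    issue_cert other-ca stranger
    build_trust_dir "$WORK/ca-trusted" family-ca
    echo "laptop:   $(verify_client "$WORK/ca-trusted" laptop)"
    echo "stranger: $(verify_client "$WORK/ca-trusted" stranger)"
}

demo
```

The stranger certificate is perfectly well-formed and signed by a real CA; it fails only because that CA is not linked into the directory. That is the property to check on a live host: `openssl verify -CApath /etc/ca-trusted some-client.pem` should succeed for your own people's certificates and for nothing else, and the directory should contain no public CA bundle, since anyone holding a certificate from a CA in it is treated like a SASL-authenticated user for relaying.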